/[smeserver]/rpms/perl-CGI-FormMagick/sme10/perl-CGI-FormMagick-0.93-csrf.patch

Annotation of /rpms/perl-CGI-FormMagick/sme10/perl-CGI-FormMagick-0.93-csrf.patch



Revision 1.2 - (hide annotations) (download)
Sun Jan 27 20:36:00 2019 UTC (5 years, 9 months ago) by jpp
Branch: MAIN
CVS Tags: perl-CGI-FormMagick-0_93-6_el7_sme, perl-CGI-FormMagick-0_93-8_el7_sme, perl-CGI-FormMagick-0_93-7_el7_sme, HEAD
Changes since 1.1: +32 -14 lines
* Sun Jan 27 2019 Jean-Philipe Pialasse <tests@pialasse.com> 0.93-6.sme
- add timeout [SME: 10626]
- update CSRF patch [SME: 10626]

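--- a/lib/CGI/FormMagick/Events.pm
+++ b/lib/CGI/FormMagick/Events.pm
@@ -79,6 +79,13 @@
 } else {
 $self->debug_msg("Validation successful.");
 
+ # Don't run any post event unless it's a POST request
+ return unless (($self->{cgi}->request_method || '') eq 'POST');
+ if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+ warn "CSRF protection blocked request\n";
+ return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
+ }
+
 # find out what the form post_event action is.
 my $post_form_routine = $self->{xml}->{'post-event'};
 
@@ -130,6 +137,14 @@
 sub page_post_event {
 my ($self) = @_;
 $self->debug_msg("This is the page post-event.");
+
+ # Don't run any post event unless it's a POST request
+ return unless (($self->{cgi}->request_method || '') eq 'POST');
+ if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+ warn "CSRF protection blocked request\n";
+ return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
+ }
+
 if (my $post_page_routine = $self->page->{'post-event'}) {
 $self->debug_msg("The post-routine is $post_page_routine");
 $self->do_external_routine($post_page_routine);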
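Review bot: The comparison on the third added line of each hunk accepts a POST when the session holds no `csrf_token_compare`: `ne` then compares against an empty string (with an uninitialized-value warning), so a request carrying no `csrf_token` satisfies the guard. Requiring a stored token closes that path, e.g. `my $expected = $self->{cgi}->param('csrf_token_compare');` followed by `if ($self->{csrf} and (!defined $expected or $expected eq '' or ($self->{cgi}->param('csrf_token') || '') ne $expected)) {`. The same block is pasted into both post-event handlers; a private `_csrf_check` helper returning the error would keep them in step (the first hunk's enclosing sub starts outside the hunk). Whether a request parameter named `csrf_token_compare` can shadow the session's stored value is a CGI::Persistent precedence question not visible here; if it can, the expected token should come from session-only storage rather than `param`.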
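--- a/lib/CGI/FormMagick/HTML.pm
+++ b/lib/CGI/FormMagick/HTML.pm
@@ -182,6 +182,9 @@
 print qq( <input type="hidden" name="page" value="$fm->{page_number}">\n);
 print qq( <input type="hidden" name="page_stack" value="$fm->{page_stack}">\n);
 print " ",$fm->{cgi}->state_field(), "\n"; # hidden field with state ID
+ if ($fm->{cgi}->param('csrf_token_compare')){
+ print " <input type=\"hidden\" name=\"csrf_token\" value=\"" . $fm->{cgi}->param('csrf_token_compare') . "\">\n";
+ }
 print " <table class=\"sme-noborders\">\n";
 
 if ($menu)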
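Review bot: The hidden field on the second added line interpolates `csrf_token_compare` into an attribute value without HTML-escaping it. The value is normally a Session::Token string, but it is read back through `param`, so whatever ends up there is reflected verbatim into the page; `print " <input type=\"hidden\" name=\"csrf_token\" value=\"" . $fm->{cgi}->escapeHTML($fm->{cgi}->param('csrf_token_compare')) . "\">\n";` keeps the markup well-formed in every case (`escapeHTML` is a CGI.pm method, so confirm CGI::Persistent inherits it). The enclosing routine starts and ends outside the hunk.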
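--- a/lib/CGI/FormMagick.pm
+++ b/lib/CGI/FormMagick.pm
@@ -24,6 +24,7 @@
 use CGI::FormMagick::Utils;
 use CGI::FormMagick::Sub;
 use File::Basename;
+use Session::Token;
 
 use strict;
 use Carp;
@@ -181,6 +182,7 @@
 $self->{charset} = $args{charset} || 'UTF-8';
 $self->{cgi} = $args{cgi};
 $self->{debug} = $args{debug} || 0;
+ $self->{csrf} = $args{csrf} || 0;
 
 if ($self->{cgi}) {
 if ($args{sessiondir}) {
@@ -194,7 +196,11 @@
 local $^W = 0;
 $self->{cgi} = new CGI::Persistent $self->{sessiondir};
 }
-
+ # Create a CSRF token to compare later with. And store it in the session
+ if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){
+ $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);
+ $self->commit_session;
+ }
 
 foreach (qw(PREVIOUSBUTTON RESETBUTTON STARTOVERLINK NEXTBUTTON)) {
 if (exists $args{$_}) {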
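Review bot: The third hunk creates the token only when `csrf_token_compare` is absent from the CGI object, while the first hunk's `use Session::Token;` makes the module a hard dependency even for callers that never pass `csrf`. A `require Session::Token;` inside the `if ($self->{csrf} ...)` block would load it only when the feature is on. The new `csrf` constructor argument (second hunk) and the `CSRF_VALIDATION_FAILURE` message key are not documented anywhere in the patch; a POD entry saying that `csrf => 1` adds a per-session hidden token to every form and rejects POST requests whose `csrf_token` does not match it would be worth adding, together with a note that the token is written to the session via `commit_session` at construction time. The enclosing constructor branch (apparently inside `if ($self->{cgi})`) starts and ends outside the hunk.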
